Vanderbilt REDCap Stored Cross-Site Scripting Vulnerability in Public Survey Function

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Public Survey function of Vanderbilt REDCap version 13.1.9. This vulnerability allows authenticated users to inject arbitrary web scripts or HTML by placing a crafted payload in the 'Survey Title' and 'Survey Instructions' fields. Exploitation of this issue could lead to the execution of malicious scripts when the survey is accessed via its public link.

Impact

Exploitation of this vulnerability could allow for the execution of injected scripts in the context of the user viewing the survey, potentially leading to the theft of sensitive information or manipulation of the survey's functionality.

Reproduction

To reproduce this vulnerability, navigate to the 'Designer' module within a project in REDCap 13.1.9. Select the default survey instrument and inject a JavaScript payload into the 'Survey Title' and 'Survey Instructions' fields. After submitting the survey, access it through the generated public link to observe the execution of the injected script.
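As an added illustration (not REDCap's own code and not from this advisory), the following JavaScript shows the rendering pattern that produces a stored XSS of the kind described, where stored survey metadata is interpolated into the public survey page unchanged, next to the output-encoded form that neutralises it. The survey object, its field names, the rendering functions and the sample markup are all hypothetical.

```javascript
// Added illustration, not REDCap code: stored survey metadata rendered
// into HTML without encoding (vulnerable) versus with HTML-body encoding
// (hardened). Field names and functions are hypothetical.

// Minimal HTML entity encoder for the HTML-body context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: title and instructions are concatenated into the
// page as-is, so any markup saved in those fields becomes part of the page
// served at the public survey link.
function renderSurveyUnsafe(survey) {
  return `<h1>${survey.title}</h1>\n` +
    `<div class="instructions">${survey.instructions}</div>`;
}

// Hardened pattern: every stored value is encoded at the point it enters
// the HTML-body context, so markup is displayed as text, not interpreted.
function renderSurveySafe(survey) {
  return `<h1>${escapeHtml(survey.title)}</h1>\n` +
    `<div class="instructions">${escapeHtml(survey.instructions)}</div>`;
}

// Defender-side check on rendered output: a live <script> element or an
// inline event-handler attribute inside a tag indicates the stored value
// reached the page as active content.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample survey (hypothetical values) whose metadata carries
// markup, standing in for a title and instructions saved in the Designer.
const sampleSurvey = {
  title: 'Quarterly survey <script>alert(1)</script>',
  instructions: 'Please answer all questions. <img src=x onerror="alert(1)">',
};

// Stand-alone run: the unsafe render carries active content, the safe one
// does not.
console.log('unsafe:', containsActiveContent(renderSurveyUnsafe(sampleSurvey))); // true
console.log('safe:  ', containsActiveContent(renderSurveySafe(sampleSurvey)));   // false
```

The encoder is specific to the HTML-body context; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead, and a templating engine that auto-escapes by default is the more robust fix than hand-placed calls.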

Remediation

Users are advised to update REDCap to version 14.2.1 or later.

Added: Jun 10, 2025, 6:57 PM
Updated: Jun 10, 2025, 6:57 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.3
exploitability: 6.5
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.